Last Week in the News: NSA’s Confessions and Apple ID Hijacking

Last week brought us a host of news stories, including a handful of highlights. As usual, we have collected the most interesting security news and are bringing it to you in a single post.

NSA rats on IT companies
To begin here is a small, yet sensational, news story. During last week’s Privacy and Civil Liberties Oversight Board (PCLOB) meeting, NSA’s principal consultant, Rajesh De, confirmed that industry giants, including Facebook, Google, and Yahoo!, were aware of a bulk collection of user data by the US intelligence service. News of these actions wasn’t completely unexpected, but getting an official confirmation is a different story. What makes this most suspicious is the fact that the aforementioned companies previously blatantly rejected any accusations of having any alleged involvement in massive intelligence collections of citizen data. Some companies (we won’t publicly blame anyone, for the sake of Apple’s fandom’s feelings) even stated that they have ‘never heard of Prism’. We’ll see how they try to put an end to the ‘nasty accusations’ this time around.

An OS tailored for smart watches
The newly announced operating system developed by Google for increasingly popular smart watches and other ‘wearable devices’ was dubbed Android Wear. The announcement was published Tuesday on the company’s corporate blog, coinciding with Motorola and LG’s new smart watch announcements. The OS is predictably based on Android, but, unlike its predecessor, is intended to be operated more by voice than by touch (just like Google Glass). The OS is capable of managing any Bluetooth-enabled peripheral, even garage gates. The horizon of opportunities for hackers is therefore… well, unbelievable.

How Microsoft charged the FBI
“If you cannot win – then command”, the saying goes. “If you cannot command – then at least earn”, Microsoft added. According to the Syrian digital army, the famous global corporation earned over $100 for each case of personal data exposure that was performed at the demand of the FBI. The hackers confirmed that during September 2012 alone, the FBI spent over $145K on these activities. Last year, one case of user data exposure cost $100, but in 2013 this price grew two-fold. As far as the legitimacy of these activities is concerned, Microsoft claims the FBI wasn’t charged for a piece of the action, but for the time spent on carrying out a legitimate request. Time is money, you see.

Gmail is now fully HTTPS’ed
It’s strange that it happened only in 2014, but from now on, all Gmail activities will be carried out over the secure HTTPS protocol. Although Gmail has offered encryption since day one, some actions up until now were carried out through unsecured channels. Now users simply do not have any choice: not only is the HTTPS connection enabled by default, it cannot be disabled. Moreover, correspondence is to be encrypted when messages are sent to an addressee, as well as when they circulate between Google’s internal servers, which is a crucial development.

Apple ID hijacked in Electronic Arts
Recently, the hacking of the renowned game distribution platform Electronic Arts was reported. It’s interesting to note that the company’s data was not the primary target of the attack; the culprits instead went after users’ Apple ID credentials. The hackers employed a very elegant strategy to achieve their goal. Having hacked ea.com, they launched a carefully imitated phishing website on the company’s subdomains, copying Apple’s credential request form, which also provided an opportunity to hijack credit card details. The report does not elaborate on the number of victims, and what is even more curious is the fact that EA never publicly acknowledged that the phishing page ever resided on their servers. And that is fishy, or ‘phishy’, we should say.